try vault kvv2 secret engine

2024-10-16 14:02:58 +02:00
parent 32afe88a9b
commit 13870390a3
4 changed files with 42 additions and 2 deletions
--- a/chart/templates/vaultauth.yaml
+++ b/chart/templates/vaultauth.yaml
@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: static-auth
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: webapp
+    serviceAccount: {{ include "webapp.serviceAccountName" . }}
+    audiences:
+      - vault
--- a/chart/templates/vaultsecret.yaml
+++ b/chart/templates/vaultsecret.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: vault-kv-app
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: kvv2
+
+  # path of the secret
+  path: webapp/config
+
+  # dest k8s secret
+  destination:
+    name: secretkv
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: static-auth
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -16,7 +16,7 @@ fullnameOverride: ""

 serviceAccount:
  # Specifies whether a service account should be created
-  create: false
+  create: true
  # Automatically mount a ServiceAccount's API credentials?
  automount: true
  # Annotations to add to the service account
--- a/main.go
+++ b/main.go
@@ -153,6 +153,10 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 	authorityHeader := r.Header.Get(":authority")
 	if oauthAllowedHttp2Authority != "" && authorityHeader != oauthAllowedHttp2Authority {
 		fmt.Println(":authority: "+authorityHeader)
+		fmt.Println("received headers")
+		for key, value := range r.Header {
+			fmt.Printf("%s='%s'\n", key, value)
+		}
 		http.Error(w, "Access denied: invalid referer or origin", http.StatusForbidden)
 		return
 	}
@@ -409,7 +413,6 @@ func main() {
 	// Start the HTTP server
 	port := ":8080"
 	log.Printf("Server starting on port %s\n", port)
-	fmt.Println("new version indeed")
 	err = http.ListenAndServe(port, nil)
 	if err != nil {
 		log.Fatalf("Server failed to start: %v", err)